-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(synthetics): canary permissions for cloudwatch logging are malformed #18910
Labels
@aws-cdk/aws-synthetics
Related to Amazon CloudWatch Synthetics
bug
This issue is a bug.
effort/small
Small work item – less than a day of effort
p1
Comments
wilhen01
added
bug
This issue is a bug.
needs-triage
This issue or PR still needs to be triaged.
labels
Feb 10, 2022
github-actions
bot
added
the
@aws-cdk/aws-synthetics
Related to Amazon CloudWatch Synthetics
label
Feb 10, 2022
kaizencc
added
effort/small
Small work item – less than a day of effort
p1
and removed
needs-triage
This issue or PR still needs to be triaged.
labels
Feb 11, 2022
Thanks for the report, @wilhen01! This looks like a long-standing bug. Happy to get a fix in momentarily. |
mergify bot
pushed a commit
that referenced
this issue
Feb 14, 2022
…tch logs (#18946) The generated role did not have the correct permissions to create cloudwatch logs, so even if the canary successfully deployed and ran, no cloudwatch streams were generated for the resource. This seems to be a long-standing bug in the synthetics module. What was missing was the region and account id, which should be the same region/account as the created canary. Fixes #18910. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
TikiTDO
pushed a commit
to TikiTDO/aws-cdk
that referenced
this issue
Feb 21, 2022
…tch logs (aws#18946) The generated role did not have the correct permissions to create cloudwatch logs, so even if the canary successfully deployed and ran, no cloudwatch streams were generated for the resource. This seems to be a long-standing bug in the synthetics module. What was missing was the region and account id, which should be the same region/account as the created canary. Fixes aws#18910. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
@aws-cdk/aws-synthetics
Related to Amazon CloudWatch Synthetics
bug
This issue is a bug.
effort/small
Small work item – less than a day of effort
p1
What is the problem?
When creating a canary using
@aws-cdk/aws-synthetics-alpha
version2.10.0-alpha.0
and using the default role creation, the permissions allow the canary to run but it doesn't create logs in CloudWatch. I've traced this to the policy that is created around logging, which is generated as follows:The
Resource
element is missing a region. It can be rectified by adding a more specific policy statement to thecdk
code e.g.Reproduction Steps
What did you expect to happen?
Canary can create and write to CloudWatch logs with default role permissions
What actually happened?
Canary cannot create or write to CloudWatch logs with default role permissions
CDK CLI Version
2.10.0 (build e5b301f)
Framework Version
No response
Node.js Version
v14.15.5
OS
Mac OS / CodeBuild (same results locally and on CI)
Language
Typescript
Language Version
Typescript (4.2.4)
Other information
No response
The text was updated successfully, but these errors were encountered: